Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Twitter XSS + CSRF Issue- 1298

Chaofan Shou, posted 2 years ago
  • Recently, somebody posted about an XSS on the analytics.twitter.com domain. At first glance this looks to be nothing more than an alert popper: the cookies are HTTPOnly, Twitter uses CSRF tokens, and the SameSite cookie flag is set to Strict.
  • Some APIs on api.twitter.com accept cookies, which takes care of the first obstacle (the HTTPOnly cookies never need to be read; the browser attaches them itself). Reading the JavaScript reveals that the CSRF token is just a hash of the cookie csrf_id, which is NOT HTTPOnly, so that cookie can be read as well.
  • SameSite doesn't kill everything! Think about the cookie settings and protections in place, because securing a large set of subdomains is difficult. The design must be well thought out so that a compromise of one subdomain doesn't affect the rest of the website.
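To make the cookie-scoping lesson from the notes above concrete, here is a small audit of Set-Cookie attributes. It is an added example, not code from the write-up or from Twitter, and the two headers it checks are constructed: the first mirrors the situation described (a script-readable CSRF-related cookie shared by every host under the parent domain), the second is the host-only, HttpOnly shape a defender would prefer.

```python
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers for the demonstration (not real Twitter headers).
SAMPLE_HEADERS = [
    "csrf_id=abc123; Domain=.example.com; Path=/; Secure; SameSite=Strict",
    "__Host-session=s3cr3t; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings about who can read this cookie and which hosts receive it."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("script-readable: no HttpOnly, so an XSS on any host where the "
                        "cookie is in scope can read its value")
    domain = attrs.get("domain", "").lstrip(".")
    if domain:
        findings.append(f"shared across subdomains: Domain={domain} sends it to every host under it")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: host-only scope is not enforced by the browser")
    elif domain or "secure" not in attrs or attrs.get("path") != "/":
        findings.append("invalid __Host- cookie: needs Secure, Path=/ and no Domain, or the browser rejects it")
    if attrs.get("samesite", "").lower() in ("strict", "lax"):
        findings.append("SameSite restricts cross-site requests only; a sibling subdomain is "
                        "same-site, so requests from it still carry the cookie")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_set_cookie(header):
            print("  -", finding)
```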